Risky Business #631 -- USA and friends send nastygram to China


Hi everyone and welcome to Risky Business, your weekly information security news and current affairs show. My name's Patrick Gray. This week's show is brought to you by Signal Sciences, which is a part of Fastly these days, and instead of booking an interview with one of its staff they suggested we interview one of its customers. So this week's guest is JJ of Compass, the American real estate website. He'll be joining us to talk about his general approach to things, and yes, Signal Sciences is obviously a big part of that, but he'll also speak to automation and orchestration and a bunch of other stuff. That's interesting stuff and it is coming up after this week's news segment with Adam Boileau, which starts now. I can't believe I get to use this sound twice in two weeks. But what are we going to talk about? Let's see, China. China, China, China, China, China. It's all about China in the front half of this week's show. The United States and something like thirty other countries have pulled on the cranky pants and issued a sternly worded statement. Yes, China has been told that some of its activity in cyberspace is contrary to its stated goals to be a world-beater, and it's unacceptable. And you know, we've seen obviously China doing a bunch of bad stuff for a long time in the cyber, and stern words are certainly one way to address it. But you know, this is a whole bunch of countries putting out a coordinated response, and some countries wouldn't traditionally have gotten on that bandwagon quite so fast. New Zealand, for example, often won't say bad things about China for trade reasons, similar to Australia's strategy, but has been doing a bit more of that lately. But a whole bunch of European Union countries, and yes, some sternly worded stuff, yes, specifically they're calling out the Exchange-palooza hacks, that's what we call them anyway, the Hafnium stuff, they also.
Interestingly enough, the statement from the US government, from the US side, says that they were conducting, or people aligned with MSS, whatever, were conducting ransomware attacks. I think they're just referring to that trash ransomware that didn't really work that was deployed against some of those Exchange boxes. But there's a whole bunch of stuff. Separately, they've indicted four MSS operators, right, and also released a bunch of information about Chinese intrusions into critical infrastructure in the United States dating back about ten years. Yes, and seeing the government put follow-ups out there, you know, we're in the private sector, we've certainly seen pretty concrete, you know, statements about who did what, but having the government put their stamp on that does give us some pretty solid data points for then attributing other actions in the future, to be able to go back and say hey, this was attributed to a government by another government, and we've got more concrete data points than, you know, when it's all private sector using different names and it can get a little bit confusing. This is a useful thing. What does this mean in terms of the big picture? I mean, you know, compared to the slightly sterner line perhaps we've taken with Russia, whether or not this has the kind of teeth that people want to see, given the very long backstory and extent of Chinese activity over the years and all the benefits they've gained from that. You know, the problem is, right, when you look at it, okay, so you want to sanction Russia by targeting their oil and gas, Gazprom, you're gonna piss off all your European allies, right? That does affect Europe. Europe needs that energy from Russia and they're not going to want the US getting in the way of that. Similarly with China, you know that if you actually put meaningful sanctions on them, China knows how to play this game. They know how to play dirty.
And there are a lot of very large American companies that have critical business interests in China. So that's just one thing I want people to consider when there's this discussion of like, why don't they go harder? That's why they don't go harder, because there'll be consequences if they go harder. Even some of the more wishy-washy stuff Australia's been having go on with China has turned into some pretty dirty play with some of your industries and exports. So yeah, I absolutely do understand how they play that game. And I think, you know, when you look at the size of the Chinese economy and how reliant we are on, you know, all of the things they make, yes, it is a real complicated, say, geopolitics they have to dance around. But on the other hand China has been pretty audacious, and you know, I know there's a few people who are saying well, hey, you know, the US and all of the allies do many of the same things. I think that's the, you know, the angle of tying in some of these operators who are doing crime, that's not the stuff that the United States is complaining about. The US and its allies, they're not complaining about collection, you know, they're complaining about just rampant exploitation of Exchange boxes and crime stuff, and like okay, complaining about the stuff that they should complain about, it seems pretty reasonable to me. Yeah, webshell a couple of government agencies, fine, that's totally fine. One hundred thousand Exchange boxes? Okay, perhaps there is a little bit of a line. Apparently one thing I'd point out too is that China had very limited success in punishing Australia. We were all pretty concerned down here that they were gonna destroy some of our export industries, but ultimately those goods just found other markets. It's like barley, right, that was one of the first things they hit. They put huge tariffs on Australian barley and as a result, you know, Chinese importers bought barley from other markets, and then there was a shortfall in those markets.
And we just sold to them. I mean, that's the advantage of being a commodity economy, I guess, right. But you know, another thing too is, as part of this whole thing, the Chinese embassy in Canberra is apoplectic, completely gone over this. Well, that's good, I guess. You know, having the finger pointed at them, you know, that's, having, maintaining face is real important, and there are certainly some pretty clear messages that, you know, they have been seen and that is being pointed out right now. So we'll have to see whether that results in any change in how they approach things. I don't know about that. Now, for some more thoughts on this, I actually asked Katie Nickels, who is the director of intel at Red Canary, to give us her take on this whole thing, and this is what Katie had to say. One of the things I think it's important for this community to remember is that this series of documents and actions against China is really meant to be strategic messaging by the US government and the Biden administration and its allies. This isn't really meant to be some tactical release of information that's useful for network defenders right now. Reading through that presidential statement and the various documents, you can tell this is really the Biden administration saying, China, your behavior in cyberspace is unacceptable. It's a naming and shaming. The details in the indictment, for example, clearly are meant to send a message to China that the US government and its allies know what they are up to, and they have known what they've been up to in cyberspace for years and years. It remains to be seen how effective this messaging will be, and one thing that a lot of policy wonks are rightly pointing out is that this kind of naming and shaming likely isn't going to be sufficient to deter China from doing this in the future. Likely other follow-on actions like economic sanctions would be needed to really change their behavior.
One other thing that's notable about this particular action is how broad of an international coalition was involved. Often the US government will issue indictments, that's not really new, but this was really a global action. NATO got in on this, the UK, the EU, Australia, Japan. And so I think that's important, because the more countries that are involved, perhaps the more compelled China will be to change their behavior. At the tactical level, it's really important to understand that this series of documents and the indictment were really a grab bag of information about different Chinese actors. So in the presidential statement they mentioned attribution to China for the Exchange exploitation activity. That was really already known. Microsoft already attributed that activity to the group known as Hafnium, which was suspected Chinese state sponsored, so Hafnium was one of the groups involved. Then the indictment was on a group known as APT40. Then separately NCSC mentioned APT31, a different group, was in there. And in that presidential statement there's actually information about some ransomware operators that seems like they were moonlighting, not operating at the request of the Chinese government. And so that's at least four different clusters or groups of actors here. It can become confusing from a defender perspective to divide those out. That's one important thing to remember, is that there are multiple groups here, and I think what that tells us is that this was really an effort by the US government and allies to say we know about a lot of activity across many years. That was Katie Nickels of Red Canary, a big thanks to her. Now we're going to move on to the big news story of the week, and some organization based in France called Forbidden Stories somehow obtained a list that it claims is fifty thousand targets of the Israeli spyware maker NSO Group. It worked with a whole bunch of media outlets and of course they did this
big coordinated splash. Some of the coverage is quite interesting, talking about dissidents and journalists and all sorts of people who've apparently been impacted by the so-called Pegasus malware. But I gotta say, this whole thing just doesn't feel quite right to me. We've seen some extremely strident denials from NSO, not that you can put too much faith in them, but one thing that strikes you about all the coverage when you read it is no one really talks about the provenance, the origin, of this list of numbers, and that frankly isn't good enough, I don't think. Yeah, this is a really interesting story, and reading through the coverage it certainly comes across as super compelling, and some of the publications, in fact the coordination between the journalists and researchers at Amnesty and so on, has been really, really good, right. There's some really good quality work. But to my mind there's kind of three parts to the story, right. There is this list of targeting, whose provenance, you know, we don't know. There is a bunch of analysis of Pegasus infrastructure, building on a bunch of high quality work by Citizen Lab over the years and other organizations that have investigated its delivery infrastructure, and then there's forensics on a number of compromised iPhones. And those latter two seem pretty solid. Like, I read through what Amnesty published, a whole bunch of detail about how it was done, for instance, on the phones and how they got artifacts of Pegasus malware on those phones and tied that back to previous work from other researchers, and reviewed like that, it all looks really solid. They actually produced a tool that can look at iPhone backups and check for indicators of compromise for this kind of Pegasus family of tooling and malware. And the network infrastructure side, a whole bunch of domains, a bunch of their proxy networks, a bunch of smart fingerprinting work, that also looks really good. And then the first part, which is the targeting list,
and there's almost no information about where that comes from, or even really what it means. And that's where most of NSO's denials are focused, is that this is just a list of numbers, some of them can't be targeted by Pegasus because they're in the US, for example. And so that part of the story is way less transparent than the rest of it, and that's the thing that stood out for me reading the coverage. Yeah, and the denials are along the lines of hey, we've only got like forty-five customers and all of them only target one hundred people a year, you know, this doesn't really make any sense to us. And so, I mean, in hindsight, I just think there's more to this story than what's being reported, and I don't know what that more is. I've got an idea, but there's more going on here. I mean, it can be bad actors and some of this reporting can also be incorrect. It's just, I feel like what's going on here is that because NSO is the publicly identified boogeyman, every time we see something bad we kind of ascribe it to them. It's almost like the Loch Ness Monster and the guy who killed JFK kind of rolled into one, do you know what I mean? Whereas this is a very big space. I also wonder about some of the forensics. I mean, you know, everyone knows I'm not an expert in forensics and whatnot, but sometimes you wonder, is there some sort of shared framework that some of these companies use to develop the implant side of this and then focus their efforts on the exploitation side? How do we know that these forensic artifacts aren't shared between different spyware makers, right? So I just think there's a lot we don't know here, and I would feel a lot more comfortable if we had better information about this list, because as you say there's a lot of really compelling stuff here when it comes to parts two and three, but the list is what gives us the scale, right, are you with me? Yeah, yeah, I am. All of the headlines, this world leader, or this family member of an opposition person, or journalists
who have, like, that. The human aspect of this is really where the focus is, and a lot of the quite good reporting has been on that human side of it. And when you look at the forensics on devices, right, they've got something like, what, sixty-something devices Amnesty looked at, of which they found signs of Pegasus on thirty-something. It's iPhones because the forensic artifacts are stronger on that platform than on Android. But when you go to a target list of fifty thousand and then draw the conclusion that that implies that all of those people were also targeted, that connection is a little bit flimsy. And there's been a couple of suggestions, I think, like the guy in the Guardian story, there was some mention of this phone number coming from an HLR lookup. We mentioned, as I'm thinking, one of the arguments. Now I've seen this thing pop up and I've got no idea what an HLR lookup is, so I'm guessing half the audience doesn't either. Can you explain that to us? So the HLR is the home location register, which is sort of like a directory service mapping a mobile phone number to which mobile carrier is responsible for it and where it's being served. Because when you want to send a message or make a phone call, one of the first steps is you query the HLR for that carrier to find out where to direct that message or call setup process. And so I guess the suggestion here is that as part of sending an attack using the Pegasus framework to a target, there is a stage where you do an HLR lookup for networking, and presumably then that's where they would also apply checks to kind of restrict who could be targeted. And there was some mention of, like, a number of public HLR lookup services. I mean, this is a thing you can just go and do, or pay for access to, or do yourself if you're on the mobile network. So the suggestion, I guess, there is that someone either works at the HLR
lookup place, or shared install logs or whatever else, and maybe those are tied to an API key that's related to NSO, or an IP, or, and maybe there's some way of attributing use of an HLR lookup service in some of the incidents to users of NSO, or somebody else's thing. And that's the kind of thing, but we just haven't seen any data other than there exists a list of numbers, some of the people on that list have been targeted by Pegasus malware according to device forensics and network forensics, and that's kind of about where we're at. There's also some of the network evidence, some of the artifacts where Pegasus has been delivered through network redirection, implying that was done with the cooperation of the mobile carrier, which in a situation where they bought the service and have deployed it into the local mobile operator, that would make sense. That also can provide some way of tying all these things together, the numbers, like if you have logs for some of these redirections occurring. So yeah, there's a few bits and pieces there, but we just don't know enough about this list of numbers to really conclude what it means to be on that list, who's on that list, or where it came from or anything like that. Yeah, which is, that's difficult. Yeah, it is, and again, I mean, I'm not saying this in defense of NSO, right, like I give about their public standing, but I guess I'm just cautious with this one, because this is an industry that's a lot bigger than people realize, right, and just because you've got one publicly visible boogeyman doesn't mean there aren't other boogie-people out there, and those boogie-persons could be using shared components, I guess is what I'm getting at. Do you think that's plausible? Yeah, and certainly, you know, building a good quality implant that can be deployed and has all the features you want, there's no reason that you couldn't buy that from some other vendor, or you know, there are other components as a service.
Like, we've seen this kind of as-a-service model, or this kind of very specialized sub-companies selling services, in the crime world. It's not unreasonable that you would see that in the defense, intelligence and spooky world as well. I mean, the one thing that I've believed NSO on is that they can't target plus-one numbers, because, you know, the reason I believe it is because they just don't need the grief, and also because we haven't seen cases of Pegasus allegedly turning up on US-based phones with plus-one phone numbers, right. There's a few examples in the stories here of US officials overseas. The really funny one was in one of the newspapers, I think it was the Washington Post, where they're talking about how an American official involved in the nuclear deal negotiations with Iran got his phone, lines, and if that's not an example of appropriate collection, I don't know. I don't know why they're highlighting that one, because he's American? But that was one where I believed NSO. It further clouded the whole thing, because he was a plus-one number. But anyway, as I say, I just think, hopefully this shakes out more reporting and more facts and we can actually get a handle on the extent to which this activity is attributable to NSO versus other bad actors, because there are plenty. Yeah, exactly right. This is a much bigger industry than people realize, and anything that increases the visibility of it is probably useful. And yeah, it's, you know, every little bit does add up to the bigger picture story. And you know, there's just so much uncertainty, and so much of this stuff happens kind of in the shadows, in places that aren't reported, that it is very hard to draw the right conclusions the first time, and as we get further into it, obviously we'll get a bit better. There's some interesting data points in here for future research, and there was one bit I saw on the
US targeting angle, where there was someone who had a Belgian phone but they went to the US and the Pegasus stopped working whilst they were in the US, and started up again when they went back home, or something like that. So you know, there's interesting data in there. Yeah, yeah, sure is. And look, this isn't to say that this reporting is inaccurate. For all we know it's perfectly one hundred percent accurate, it's just my spidey sense has gone off a little bit. Yeah, exactly, like there's definitely stuff we don't know about here and it's hard to draw exactly the right conclusions from what we've seen. So now let's talk about Candiru, which is apparently another Israeli firm that is a so-called hack-for-hire company. Citizen Lab and Microsoft have put out reports. Yeah, this looks at a number of zero-day bugs and other pieces of implant malware that were deployed by a number of governments. Over a couple of months we've seen attributions to this commercial vendor. We've talked a bit on the show about some of the other commercial vendors. We talked a little while ago, Google, Google TAG, put out a blog post saying hey, we've got some zero-days in Chrome and Safari and Internet Explorer that we attribute to a commercial company, but didn't say who. It turns out that this is who they were talking about. Yeah, yeah, and you've got to wonder too, if headlines like this continue and if exploits like this keep being used irresponsibly, it seems to be a big industry in Israel and you've got to wonder at what point countries stop putting out nastygrams referring to Israel, right. At what point does this become a problem for Israel? I do wonder that. Yeah, I mean, it's a good question, especially, you know, with some of the Armenia stuff, where we saw Armenia, it's specifically other countries in the Gulf, where the political relationships and the commercial relationships perhaps aren't exactly as everybody expects, you know, here we're seeing Israeli bugs being used to target Armenians.
Yeah, the relationship between Israel and Armenia is, like, yeah. You could certainly imagine if we saw this being deployed in some other countries, bugs directly attributable to Israeli vendors being deployed in Australia or New Zealand, for example, what that would mean in terms of the political relationship. You can imagine it eventually becoming an issue. Yeah, it could get a little awks, that's for sure. I think it could even get a little bit awkward even if you're not talking about citizens or allies, it's just like, you know, if there's still that indiscriminate targeting of people who are, like, enemies of the state, I think that can still turn into an issue. But time will tell. And look, moving on, speaking of this, you just alluded to the fact that some bugs were used against Armenians. Google TAG put out this excellent blog post talking about a whole bunch of activity, and some of it was looking at some 0day being used against Armenian targets. There's been a bunch of news articles spun out of the TAG research. That research of course comes to us from Maddie Stone and Clement Lecigne. So yeah, let's talk through these ones, Adam. I mean, again, Armenians targeted with 0day is no real surprise, given that they recently had a war. Well, yeah, exactly. Some of these bugs Google TAG tracks, zero-days that they've seen being used in the wild, and the quality of information available to them to do that is pretty unique, given their aggregate perspective of being both a browser vendor and a really good kind of security research crew. But yeah, they put together a write-up of a couple of commercial Chrome bugs from Candiru that they've seen being used, and the same bug also impacted
the Apple side of it, in the targeting of Safari users. And those are interesting, where rather than escape the browser sandbox they would actually run the exploit code inside the browser sandbox, turn off same-origin policy and steal cookies for the services that the browser was logged into, in this case, you know, Microsoft cloud services and that sort of thing. I mean, why take over the endpoint when you just want the web, all right? Well, exactly right, and we've seen some researchers talking about this kind of avenue, because the browser is the whole operating system these days and the rest of it is just kind of support plumbing for that, then yeah, why bother escaping the sandbox if you could just take cookies and pass them off. This particular part was attributed to one of the Russian state organizations, but yeah, really smart targeting technique, rather than waste the sandbox escape. Well, I think that's why Google spent so much time looking at tab isolation, right, in Chrome, it's exactly that reason. Meanwhile, Google's patched another Chrome 0day, it's the eighth for 2021, so it's just a sign of the times now. I think it was last week or the week before, we mentioned that there was this, maybe even a few weeks ago, we mentioned that there was this really silly little bug in iPhones where if you set up a funny SSID and got it to connect to that adverse WiFi, it would, you know, brick the phone, basically brick the WiFi functionality. And you know, at the time we're like, well, at least it's not exploitable. About that: some researchers from ZecOps, turns out yes, they could leverage this through to code execution via some, I mean, you know, it's a format string bug, which have obviously had plenty of success as an exploitation technique in the past, but yeah, there's some maneuvering, interaction with the crash reporter or something. They managed to turn that into a use-after-free and code exec, which, kudos to pulling that through to making it work, but oh dear. Yeah, that's not right.
Being near a wireless network and getting yourself shelled, not good. Now look, we just spent the front half of this show talking about, you know, Exchange exploitation, about full intricate, detailed, intense exploit chains and subsequent implants, we're talking about browser 0day. These all really fall into the category of internet weaponry, okay, but now we're gonna talk about the deadliest cyber weapon, Adam. This is being used by, you know, huge publications and newspapers around the world have been talking about this deadly cyber weapon in the case of the Kaseya ransomware attacks. A lot has been made of the fact that ransomware crews out there are using 0day now, they're using 0day now. People would have heard me in recent programs saying, look, not all 0day is created equal, and maybe we shouldn't conflate, maybe we shouldn't conflate the trash 0day that ransomware crews are using versus government 0days that are used for violence. We now have some details on the bug that was used in this Kaseya ransomware attack. Adam, drum roll please. Will you please tell us about this deadly cyber weapon that should have us all quaking in our boots. So the piece of code that checked the password being submitted during the login process to Kaseya's software basically had a loop that ended with, if we got through all of the other conditions in the loop, then let's return true, this is fine, user is good. And this particular set of checks was, is the password wrong? Okay, we'll fail. Is it this and this, and so on and so forth, had about two checks. It didn't actually check for the password just not being there, and so we'd just fall off the end of the loop and return true. It's been a while since we broke out the sad trombone. Yeah, sad trombone, well deserved here. Yes, this is a great example of a pretty terrible bug. I think lots of fantastic hackers will remember this kind of bug from,
I mean, ten, fifteen years ago, the sort of thing that would happen, but I guess this code was probably fifteen years old, because that's kind of, feels about the vintage. But it's just making me feel like I'm taking crazy pills reading the coverage about, oh, ransomware crews are using 0day. There's a big difference between the sort of stuff that groups are peddling, submitting a null password, mashing buttons on the keyboard and getting shells, yes, there was a little bit of a difference there. You would certainly hope this Kaseya 0day was not worth the, you know, hundreds of thousands of dollars or whatever you're going to flog off a fine iOS exploit chain for, yeah. But just remember that, policy wonks, fellow journalists, okay, there is some nuance there, actually quite a lot. So that's something to keep in mind on this show, sometimes it works. Let's just, let's just not hold up that sort of thing as an example of ransomware crews moving into dangerous cyber weapon territory, like, god. Some ransomware affecting a cloud provider, Cloudstar. This is a managed service provider for a bunch of industry sectors. This report comes to us via Catalin Cimpanu at The Record. Yeah, this is a cloud service used by a number of, like, real estate services and associated organisations, and it looks like they got in, stole all the data, locked up all whatever else, and yeah, a number of organizations have now found themselves dead in the water because of their service provider just disappearing. And they said that it's a very, very sophisticated attack, which means it worked, they succumbed to it, it worked. Apparently they got the backups too, I saw some discussion of that on, uh, ruh roh. Well, that's not a great time. They're going to be under strong, we've seen this kind of service provider scenario and the more pressure to pay up than perhaps individual organizations, much like, I was being pressured to pay for my ski for everybody. You know, I'm sure any time you hit a cloud service provider
they're going to really pile on the pressure, and we'll see what they pay. Yeah, now look, one thing I wanted to discuss this week is, last week listeners would know that I got on my soapbox and had a bit of a rant about how there's no real product testing for US government purchases, right, like you know, if you wanna buy an F5 or whatever, you don't have to test it, you don't, there's no sort of standard that thing has to meet, and that's maybe a bit of a problem. And I was saying maybe they should have to commit to bug bounty programs and stuff, maybe administered by the government in conjunction with one of the platforms. Since then, you know, we've been really looking into this and it turns out, first of all, there is such a program for cloud providers, which is of course FedRAMP, right, which everyone hates, but it actually serves a purpose. So if you wanna sell a cloud service to the US government you need to be able to show stuff like, yeah, we got pen tested. Now for products there is nothing similar, but that is actually changing because of a recent executive order. What's happening now is NIST is actually working out the details for what organizations will have to do to essentially become approved vendors. I just thought it was worth mentioning that, given it was something we kind of touched on last week, there is actually a little bit of movement here. Yeah, this is good to see, and this is good to see moving at a relatively rapid pace, developing this kind of framework and then getting all the necessary bits in place, you know, normally would be a really long process. Seeing this move a bit quicker is reassuring. NIST have got some guidelines now around what is critical software that needs to be kind of assured, and why is that, which hasn't been there in the past for government
use, and got some guidelines, for example, for how developers should test products before they sell them to the US government as critical software. Thumbing through the documents, it's actually pretty good, because it's not about critical infrastructure, it's like anything that is at the network boundary and has any sort of privilege, that's critical, you know, and it's like, you read through it, okay, someone put some thought into this. Yes, that's right. Having a broad coverage of what's applicable, what is important, and aspects of supply chain, and making sure that you're able to, it ties in with this software bill of materials idea that we've seen kicking around. So this does extend to components and all the way up into the supply chain, which is important. The guidelines for developer testing are also pretty interesting. They've got recommendations about threat modeling, about what a minimum, testing and use of heuristics, spotting key material and that kind of thing. There isn't, it doesn't seem to be, on my reading of it, to be requirements for external security testing and testing, code review, that kind of thing, outside of the organization yet, which when we were talking last week, I guess that's what we were really thinking of, was external validation. But I think that's coming, actually. Maybe I'm going to have to dive into this more, but I think that might become criteria. Yeah, I hope it gets there, but the focus so far on what, maybe, maybe not, but just for testing, yeah. Having some testing would certainly be, in my opinion, giving them a task is good, but even just having guidelines for developers to suggest that they use fuzzing, that they use code coverage tools, and that they test for previous bug classes, these are all really sensible suggestions, and if this was a minimum baseline standard then it's pretty comprehensive for that, although obviously there's always more that we can and probably should do.
Yeah, and funnily enough, just like, and this is what I said on Twitter a couple of days ago, this week's news is just like the perfect narrative arc: Ron Wyden has just been blocked by the GSA, the General Services Administration in the US. He was trying to FOIA the details of how on earth Zoom got approved by FedRAMP, like a couple of weeks before that really awful bug showed up. I mean, these things can happen, right? Like, as it turns out, they've done a pretty good job, especially since the onset of the pandemic, of really making security a bit of a focus. But it just goes to show that, yeah, you can ram stuff through any sort of process like this and give it a tick, and it can still have problems and can still be rubbish. I mean, this is why last week I was talking about the bounty side. And look, I understand that bounties can be problematic, right? You get a lot of junk reports, you can only do so much with black-box testing and stuff, but I still think they should be there for when, say, someone like Adam is doing a test for some bank who's trying to buy a product. You can go look up and see if there's a bounty program, you know, being administered by the US government in conjunction with one of the platform providers, and you can throw that bug in there as well as in your report, and it gets to the vendor and you get some cash, right? So I think there's some stuff that could be done there as well. Yeah, but certainly even just making the process of dealing with the vendors more straightforward is one of the great things the bug bounty programs have brought to the party, because trying to report bugs to vendors is always worse than actually finding the damn bugs in the first place. But the type of testing and the methodology, it really does matter. And I'm sitting here looking right now at Accellion's FedRAMP certification, right, and we know that when you go look in a different way then, hey, bugs still fall out. 
And that's their cloud side as well, which, I think you might have revealed a little bit more than you intended to about some recent work you might have been doing, but anyway. The United States, not surprisingly, is tightening up security demands of pipeline operators. Yes, the TSA has been very well known for lots of security theatre and doing things after the fact, so yes, following up on ransomware, following up on pipeline operators to make sure that they have the necessary things to detect ransomware in their environments probably does seem like a thing that needs to happen, and it's good to see some pressure being applied, but it does seem a little bit reactive there, perhaps. Now, staying with the US government, and this one's kind of funny, because the US State Department is offering a ten million dollar reward for information about state-sponsored hackers disrupting critical infrastructure. Now is it just me, or does that seem like pretty narrow criteria? Very specific tipline, right: Colonel Mustard in the library with the candlestick level criteria. Only if he was bludgeoning a pipeline. Yes, oh, I guess if you're one of the few hundred people that's working in whatever department that is, in a government agency, you know, in China or Russia or wherever else, and you dob in one of your colleagues or whatever else, then you too could be in it. We do note the US State Department has an onion site for you to make contact with them, and they will pay you in cryptocurrency. You know, they're really lining it up for you there. If you'd like to dob in your colleagues and make a bit of cash, go to the beach and party with everybody else, then you know what to do. Now, ironically enough, that crypto, you could wind up, you could have some trouble, because the US government, other parts of the US, the Treasury, they're following through by the looks of things on their plan to more tightly regulate cryptocurrency under the guise of disrupting the ransomware ecosystem. Every commentator 
who's been paying attention over the last couple of months knew this was coming, and it's not a big surprise when the usual things that, you know, have been telegraphed: so far, more requirements on currency exchanges, more attempts to deal with the know-your-customer kind of stuff, things to crack down on other ways that cryptocurrency has been abused. And, you know, there's lots of avenues that government has been pushing it from: a tax side, from a fraud side, from a paying-ransom sort of side of things to pull it. But it is just funny seeing that juxtaposition of one half of the government offering to pay people in criminal currency for safety, and then the other half trying to track them down. So, you know, pretty much. We've got a Microsoft story here, another one from Catalin: Microsoft has apparently taken control of seventeen domains used by a West African BEC gang. The only depressing thing about this is that it's actually news, like nuking seventeen... how many domains would they be doing this stuff with? I'll tell you, more than seventeen. Business email compromise seems like such a quaint relic of olden times, and now it's like one of the most active crime types and it's still causing all sorts of drama out there. I mean, if anything it doesn't get enough attention. Yeah, I guess that's what I mean. Like, we're so focused on ransomware and zero-days lately, and we do forget about the workaday honest grift of BEC. Yeah, which is responsible probably for more financial harm than ransomware, which is crazy. Look, let's not talk about this one, but I just want to mention it. It's linked to in this week's show notes: a report from Joseph Cox. He's been doing some great work in the data privacy space lately, and he's looking at this entire industry that exists that de-anonymises people. You buy these anonymous data sets, and he's like, well, there are all these brokers who just say, oh, we can help you match it to people, which is legally questionable, but it's certainly an industry that exists. 
Got another one from Catalin, where Instagram is rolling out new tools to help people better secure their accounts and recover them, which people have been banging on about for ages. Instagram recovery flows are just such a wild hot mess. They've introduced a new process for dealing with account compromise, where it'll prompt you for things and walk you through the process of securing your account, which, as you say, like the current process is a little bit of a mess, so good to see them improving. I imagine they'll roll it out gradually given the size of the user base and that kind of thing, so let's see. I mean, I've been behind the scenes on a couple of these, like one account takeover that abused the trademark protection process. So someone registered a trademark in someone else's name, and it was just pending, but they were able to use that paperwork, which was against Instagram's policies, but they allowed it anyway, to seize the account and then take over the brand. So that was another one. A guy was DMing me the other day, the account, if anyone from Facebook's listening and wants to sort this out, the account is called daniel castro photo; some photographer, he had a decent following, it's part of his business. I think he got phished, and now the person's trying to sell the account back for three hundred bucks or something. But it's just, and I've seen screen caps where he was told "click here if you know the phone number change on your account wasn't you", and you go through these processes and they do nothing. Like, that's how bad it's gone. It's just... anyway. Brand new day. Okay, we've got a report here from The Daily Swig, written up by Adam Bannister. This is quite funny. This is a write-up of research from the Twitter user who calls themselves 0xabad1dea, "a bad idea", on Twitter. They looked at the code 
quality generated by GitHub's new machine-learning code generator, called Copilot, and discovered that it writes hideously insecure code. And obviously this is because it's been trained on... yes, exactly. Like, this is how the machine learning works: if you train the machine on the combined wisdom of Stack Overflow and GitHub, then you get something that generates code of that style. Sure, there's plenty of high-quality code on there, but, as someone on Twitter said to me, you know, it basically has just automated the cut-and-paste from Stack Overflow. Exactly, it's smoothed out that whole developer workflow. But yeah, there's a bunch of examples here of it generating code that has buffer overflows in it, or code that doesn't handle edge cases properly, or code that has, even in this case, the researcher who was playing with it missed some bugs that had been introduced by it, which were then subsequently pointed out by somebody else on Twitter. So yeah, a really good example of, you know, not being able to rely on these tools. I think people who develop, working in the IDE that's popping up documentation and suggestions and things, often they're quite used to that being of a reasonable standard, automated help, and they don't necessarily understand that this has just been generated by ML from a corpus of code written by randoms, or monkeys. That's the problem with machine learning, right. So congratulations to a bad idea, she did a terrific job there. Yeah, now Adam, we've got some research to talk through. First off, let's start with this thing that's been reported again by The Daily Swig, by Jessica Haworth. Apparently there was an RCE in Cloudflare's CDN. Yeah, this is actually really bad. So this was a bug reported by a researcher: essentially this CDN would cache JavaScript libraries, and there was a process by which the cache, Cloudflare's caching engines, would refresh those dependencies, refresh the JavaScript dependencies. 
And so if you got it to cache a library that it didn't know about, or that you controlled, you could then eventually lead to, like, path traversal and command execution, so you could possibly overwrite, like, when you're refreshing it, maybe overwrite the code that was actually running the regeneration process. So the net result was code exec in Cloudflare's CDN, with, of course, the ability to rewrite code that's being served to people coming out of it, and this is something like twelve percent of the internet. So that's pretty bad. Yeah, someone found this and reported it via bug bounty. They got a whole lot of... not that much from Cloudflare for that, but that seems really bad. Now, moving on, last week we were talking about those ForgeRock bugs and you mentioned something to the effect of, well, that's a long-abandoned project, hasn't been touched in ten years, sort of thing. A listener tweeted at me that it actually did get some love about a year ago, and a lot of the old Sun cruft has actually been stripped out of it, so it's worth mentioning. Yes, I was sitting here referring to the very old bits of very old Sun infrastructure within it. If they've ripped that out recently then that was a smart move. Excellent. And now it's time to wrap up the show, Adam, with our skateboarding dog. I don't even know where to begin with this, but this is very nineties. This is very nineties, affecting Win10. This is crazy. You can actually read the SAM file on Win10, in plenty of default configurations, in this year of two thousand and twenty one. Shell on, like, an IRIX or HP-UX box from the eighties and you can read the Unix password file and it still has the hashes because it predates shadowing, then that would be expected. The idea that you could do the same thing on a Windows box in the year twenty twenty one is a little bit... So, point is, this is how we got free internet access in the nineties. Many crimes. And at some point Microsoft, 
I think maybe going back to even a year or two ago, at some point they must have changed what they were doing, but they've shipped an update that makes the SAM file readable by built-in users, so that's like everybody who's a local user on the machine. And then you can't read it because of locking, but you can read it out of the Volume Shadow Copy Service as a regular user, and there are a few other nuances, like obviously shadowing has to be turned on to do that, and that is the case if you've ever had a system restore point created, I think. Anyway, the net result is that as a regular user you can just read the SAM file, which is pretty much straight-up privesc on the client. This doesn't hit Windows servers; it's only Windows 10 after, I think, the nine hundred nine update or something like that. But this is real boneheaded. It is, and Microsoft, we're at Microsoft making a big set of strategic mistakes and dumb bugs and botched patches, and like, I've got to admit to feeling, it's like putting on a favourite t-shirt or something, you know. I'm kind of glad they're bad again. It feels right, because they went through a good phase. I mean, you know, they went through an awesome phase compared to ActiveX and Office 95. There was a moment where, we're hiding it, Microsoft was kind of cool, you know, and I'm just glad we're back to that tradition. Yeah, it is certainly very, very familiar. It's concerning, of course, given their importance on the... potentially even bigger than... let it go. Let it go. But man, yeah, I mean, there's plenty of people saying, hey, Microsoft's spending all their time selling E5 licences and not enough time doing basic security, like setting the read bit on the SAM file. A few years ago they started bunching patches and missing cycles and stuff, and you thought, they've got some resource constraints in the part of Microsoft that does that. 
Let's not kick the crap out of them for that, but it just seems like things have really improved there, and meanwhile they're out there saying security is a ten billion dollar revenue centre for us, and you just think, if they'd spend some fucking time... anyway. There's a lot of very good people at Microsoft fighting the good fight, but they deserve better from management. They do, right, and you certainly get a picture when you talk to somebody who pays attention to Microsoft that, you know, there are absolutely pockets of really excellent competence and really motivated, driven people there that are really doing a good job. And then, you know, there's a bunch of structural aspects, structural issues in that organisation, politics and so on. Politics, yeah, yeah. And we're all so dependent on them getting everything right all the time. Nationalise Microsoft. I'm kidding, but that's the sort of thing the kids say these days, isn't it? I mean, yeah, that'll really improve enterprise IT, get the government in. You probably could make it worse, let's be honest. All right, well, that's actually it for this week's news. What a great week for news, like what an absolutely fantastic grab bag of stuff we got to talk about this week. It was a real pleasure to chat to you, and we'll do it all again next week. Thanks again. Cheers, talk to you then. That was Adam Boileau there with a check of the week's security news. Now I'm about to do something that I rarely, rarely do on the show, and just shamelessly plug some software. Roelof Temmingh is the creator of Maltego, the OSINT analysis tool, and for the last few years he's been working on his next big thing, which is called Vortimo, and finally it's released and it's ready for general use. I did play around with an earlier version of Vortimo and I just think it's the sort of thing that a lot of the audience is going to want to check out, so I asked Roelof to send in some audio explaining what it actually is. 
And here's what he told me. So Vortimo is made for online investigators, the whole business, so you're looking at journalists, incident response, anyone that's chasing bad people on the internet. But I can actually totally see how it can be used by lawyers or academics, you know, anyone that actually uses a browser to research any kind of topic. Vortimo is software that augments your browsing experience by kind of allowing you to tag elements, and with elements we mean text or images on pages, and that happens right inside of your browser. So you can highlight those things and say these things are important to you, and then as you go to other pages the software will tell you that those tags are seen on the pages that you're on at the moment. It also has its own kind of UI where you can have different views on the pages that you browsed. So you can firstly see it as, it makes this browse-over view super capable, but there's also a UI where you can view the data that you've collected, obviously completely offline, so even if the pages are removed or changed, all that data stays on your local drive, nothing in the cloud or any of those kinds of things. We've been working on this for way too long, to be honest. I have serious anger issues with the software. So it's been two and a half years. I guess the reason why it took so long is that the problem is actually a lot more slippery than you can even start to think about, mostly because from the start we set these crazy design parameters that were really hard to achieve, and those were like making it non-intrusive to the browsing experience, capturing all sites (and how do you even test all sites), capturing all of it all of the time, and running all of that stuff, luckily, without burning up the computer's disk space. So I think those were pretty tough parameters, but I think we managed to find a nice compromise. Kind of hope we did. Roelof Temmingh. And yeah, you can check out Vortimo at vortimo.com. 
There is a free version so you can play around with it, and yeah, I mean, it's just of interest to so many people. Even a lot of journalists listen to this show, so I think they should check it out too. And just so you know, this was not a sponsored announcement or anything like that. I just think it's cool stuff, and you know, Roelof is a super smart guy, so you should pay attention to his work. It is time for this week's sponsor interview now, and this week's show is brought to you by Signal Sciences, but instead of talking to them in this slot I'm chatting with one of their customers. JJ Agarwal is the CISO of Compass and he is our guest today. Compass is an American real estate website which is aiming to be basically a one-stop shop for property listings and transactions, and as a result the dev operation is actually fairly huge. JJ tells me they have something like a thousand-ish developers now. He is a very, very happy Signal Sciences customer, but we don't talk about, you know, every Signal Sciences feature, though obviously it features pretty heavily. I'll drop you in here, where JJ explains that rolling out a decent WAF, using a decent WAF, is pretty much his first step when deploying new stuff or when he's trying to manage... so here is JJ Agarwal. So the first thing that I typically do is just get a WAF deployed, so that I know I have visibility into my APIs, my endpoints, all the application telemetry that's coming and going, how and where my clients, my consumers, are actually using it, to make better decisions. I need data, information, to then generate high-fidelity alerts, and then to get into a place where I could start actually blocking, being in prevention mode. And that's the goal: I want to be in prevention as quick as possible and be able to iterate as fast as possible. From prevention, 
I always just go to kind of the well, and these products are all around, but Signal Sciences has been a great kind of... for as soon as I go into different shops, where we have confidence within the... this tool has been able to allow me to set it up, allow me to take a big breath as I'm trying to wrap my hands around the organisation and look at, how do I start pivoting? What is the actual endpoint being targeted more, right? Let me start building out more detective, preventative controls, and let it do its thing with the WAF being up. Prevention is, I know I can actually sleep at night around my endpoints, but I then need to make sure that the tool of choice that I am picking, deploying, isn't agnostic or doesn't have enough extensibility in its region. If it only runs on Windows IIS and that's the only HTTP service we use, and I am on the way out, there's nothing I can do; the program is, if we were at that point. But that's where picking a tool, going back to, it's like, whatever the HTTP service is, as long as I can secure that, and there's a gateway for all my endpoints, all my APIs being published using a Zookeeper or some other HA proxy servers, and I can wrap around it, great: now I have full coverage and better visibility, with the ability to actually go into prevention, not trying to chase, pick a product that only focuses on one particular niche of service. Oh, we'll help support your JSON blobs. Great, but I have XML here, I have Thrift over here. What are we doing? So I guess the point is, if it is capable of receiving a GET or POST request, being inspected at some point somewhere, yeah, I need to secure it, regardless of the technology or where the organisation goes. The idea is I need to enable our organisation; that goes back to how I select and decide on orchestration, automation, to really enable the business. It's less about if I get it put into the business logic and 
let's fill out the process and, great, up and running. But too often folks are just looking at, all right, here's a GET with SQL in it. Great, block that. But what is the actual behaviour, and how do you actually double-click into it to generate better context and higher-fidelity information to make a better decision? And I think we're often too strapped with resources or too strapped with the debt of tool choices that doesn't alleviate or allow us to be scalable, be modular, be transparent with the program, because we're just kind of in the scrap fight of... I mean, yeah. It's interesting that you mention sort of asset discovery and automation, orchestration, in the same, you know, little chunk there, because those two things are kind of linked, aren't they? Because if you've got your orchestration and automation ducks in a row, then as part of that process you understand what's being spun up and what's not. Now of course there's always going to be someone doing something outside of the process, and that's where your asset discovery comes in, but usually if you've created good automation processes, it makes a lot of the asset discovery stuff more about catching edge cases than trying to herd cats. Yeah, because if you have all your cats going through the same CI/CD, the same infrastructure, then it makes it easier to deploy a change. It's now scalable and it gets on every single VR, every single new endpoint that gets up, as long as you're going through the repeatable processes. And then my focus is, to your point, just on the edge cases, chasing those down, really spending the cycles where it's more meaningful. And those are the edge cases where you see companies get popped, right? 
So that's my next question: how are you actually chasing them down, right? Because I understand that, you know, having a repeatable process... and Signal Sciences, we're a big fan on this show because they were people who actually took WAFs and made them kind of usable, right? Very funny too, because I often teased the founders about it. They didn't call it a WAF when they first launched it, and then all of a sudden it morphed into a next-generation WAF, much too much, right. But it is, I mean, it's a good WAF that you can deploy on multiple technologies in multiple different ways, right, and you get some sort of uniformity. It does pretty sensible blocking, so I understand why you're a fan of it. But I'm interested: when someone in your org goes outside normal processes and does something, I will say does something dumb, what are your tools and processes for catching that? Because you don't really know what the dumb thing is before someone does it. It's kind of hard, isn't it, to build a program to catch unknown unknowns. Yeah, so the unknown unknowns are, just look for the creepy crawlies, as my CTO Alexis... He really likes the team and kind of pen-testing conversations because it finds the unknown, right. You don't know about them until they become known, and then they're no longer unknown. So with that, partly just making sure, even if you're an AWS shop, right, having just billing and payments in process, asset tagging, right, because you could actually be in your organisation within your AWS instances and it could be a known asset within your known space, your known pool, and so those are some of the things that we're really pushing. That's really interesting that you say that, so you're saying you can catch it through billing discrepancies. Have you actually... have you read The Cuckoo's Egg? We've actually... actually Andrew Peterson, 
CEO of Signal Sciences, told me to read that. It is on my list, behind me. Well, it's really funny, because the whole thing starts essentially with a billing discrepancy on a big box, which makes the guy curious, right, and then it leads down this big rabbit hole. But that's why I found it really interesting that you said that you can kind of use... because obviously these cloud companies, man, they've put a lot of work into making sure they bill you for every cent that you've used. So, I mean, using that tech that they've built to your advantage: can you give me an example of how you might use billing, you know, how you might actually find a discrepancy? Because that might be hard. So, you know, we're keeping track of all the resources that are being spun up and spun down, and so we're using a tool called euro scale that the tech infrastructure team brought in, and we're now just building on top of that. And that goes back to the orchestration and automation discussion about, they needed to solve a basic billing problem, right: what team is spinning up what resources, how much, in what region, and now we're actually using that information on top of CloudTrail, all the plethora of data that this cloud provider will give you, to make decisions about what the business has deemed normal. So let's actually isolate all the non-regions that are being used: if we see an instance up in any region, kill it, shoot it. That thing should never exist. Right, so you've got some seatbelts there in case people start spinning stuff up outside of what's allowable in your way, because that means they're not... are they going to be able to connect to our VPCs? Are they going to be able to connect to our tried-and-true backend infrastructure, right? And then you have, even as simple as AWS asset tagging, right: if an instance is not tagged with a particular team or a particular product, what environment you belong in, we're going to spin it down. And 
we could start to reduce company costs, and cost is just a discussion of risk as well. So at the end of the day we're reducing risk in multiple ways: financial ways as well as security risks of our landscape increasing, increasing unknown assets that might be sitting there. Looking at security groups, looking at, you know, what is publicly available: those are all things that have been commoditised, right, of looking at what the security questionnaires... Now, do you know what a security group actually does? That's the question. When you respond to an alert, do you have enough context? That security group is now... when is the host that's actually attached to it, what is the business, what is the application actually running on it? And then it's kind of caught with, you know, in a little bit of a rock and a hard place, where whatever decision they make impacts something. What is the actual impact? Do they have enough context and feel confident or empowered by the business to shut it off, or do they now need to chase everyone around because they're so scared that they're going to be looked at as the security disabler, right, as the security blocker? And luckily we've taken that approach where, from our CTO and CEO down, it's been, you know, you're more empowered to make the decision, and we never feel kind of conservative. There's a culture that security is the blocker, whereas we're making these decisions and we're using automation and orchestration for operational excellence, for better asset tagging, for better insight into our resource consumption, to also drive security controls. And so that's where it's less about me bringing in, hey, these are the new security controls that we're leveraging; it's leveraging the already existing controls and best practices of multiple teams to kind of empower the security controls and empower the security testing. Even for us, when we made a decision on Signal Sciences, again, we were, 
we were, when I first got here, leveraging nginx, HAProxy. Great, no problem. Are there two that are coming in? How do we get security coverage there, right? What does the process... If I can't just make it as extensible and as easy for an internal product that wants to spin up or spin in and use our technology, I'm not making the right decision to put our program and company in the best place to kind of scale, automate. I'm curious: since the Fastly acquisition, have you found it useful... I mean, I'm not sure, and I don't think that saying no is a bad answer here. Have you found it useful that now Signal Sciences is kind of baked into that network edge post-acquisition? Because it sounds like what you're doing is you're just placing it everywhere anyway, so it wouldn't have made much difference in your circumstance. It doesn't make much impact to me. Rolling back all the way to the start of my security career, I worked at a past networks company, and when we rolled out there it was through ModSec, and we included it inside of our AMI, for instance, and so we were inline and able to buy security controls for our customers, but it was kind of painful, right? It's painful, we removed it from that. And that's why Andrew and Zane have lots of money now, is because it is painful. I think you want to be as extensible to what is my choice, right? Because the CDN choice is just another similar conversation about what is my choice of nginx versus HAProxy, which cloud provider. If you go CDN, you want to do splits, multi-deliver different assets to different customers, better last mile for asset delivery. Those are all things that have to go into a decision for the company. And so what we really do love is that there's accessibility; now I get to make the decision. And that's where, from any product or any tool, giving the person buying the product the ability to build on top of it, to make passage into it as an end user, 
APIs drive extensibility for their organisation. Those are the things that are really beneficial, I think, from that acquisition, because there's going to be customers that are just using Fastly CDN and now they could just get SigSci day one, and they're going to be super happy with that decision. Because obviously it makes more sense for smaller shops to have that sort of integration. And that brings me to the sort of final line of questioning. I want to talk about one thing that's really surprised me: there's an Australian company very similar to Compass called REA Group, which is, I think, stands for Real Estate Australia. It's a very similar sort of website. I have a family member who actually works there and they just have this massive team. I mean, I don't think they're a thousand strong like you guys, they could be, but I'm really curious why a real estate listing website requires a thousand developers, because just on the surface of it, it sounds like this should be a pretty simple website to run, right? Why a thousand developers? Tell me. So I think, to step back, if you're looking at Compass, it's looking to accomplish the digitisation of the entire real estate transaction: from when you start searching, to when you get your mortgage, to when you want to close, to when you're doing settlements. Refinances as well, right? Yeah. So it's going to be a full-stop shop, you know. That's where the entire revolution of the real estate transaction moves away from these archaic processes that have kind of existed. On top of that, MLSes are region-, city-specific, state-specific, and so there are six hundred within the US, six hundred data sources that I need to kind of pull in using ETLs; there are multiple, large ETLs ingesting all this data and inputting it into a store and making it useful, adding context and enrichment to it so that you could have a better search experience from just a consumer... 
That's one piece of hundreds of pieces that exist in the entire real estate transaction. And so if you look at the other products that exist out there, if you look at Zillow or Redfin, you search for it and then it reaches out to you, but no one's building out the tools to ensure that the transaction could all be within that platform, right: your title, escrow, you collaborating, messaging back... JJ Agarwal, thank you so much for joining us to talk through a few things there, about everything from the use of Signal Sciences to orchestration, et cetera, et cetera. A really fun and illuminating chat, man. Thanks again, Patrick. That was JJ Agarwal, CISO of Compass, with a chat about automation, orchestration and WAFs. Big thanks to him for that, and big thanks to Signal Sciences and Fastly for sponsoring this week's show, and that's it for this week's podcast. Before I go, I would like to mention that the Seriously Risky Business newsletter is back in business and there'll be a fresh edition going out tomorrow, written by Tom Uren, our new editor, so keep an eye out for that. I'll be back next week with more Risky Business, but until then I've been Patrick Gray. Thanks for listening.
